Analysis of AppArmor related scripts and services (2)

Continued from the previous article: Analysis of AppArmor-related scripts and services (1)

The previous article covered the __apparmor_restart function in the reload path of /lib/apparmor/apparmor.systemd. This article continues the analysis from there.

The core of the __apparmor_restart function is the following statement:

parse_profiles reload

The parse_profiles function is defined in /lib/apparmor/rc.apparmor.functions; its code is as follows:

parse_profiles() {
        # get parser arg
        case "$1" in
                load)
                        PARSER_CMD="--add"
                        PARSER_MSG="Loading AppArmor profiles "
                        ;;
                reload)
                        PARSER_CMD="--replace"
                        PARSER_MSG="Reloading AppArmor profiles "
                        ;;
                *)
                        aa_log_failure_msg "required 'load' or 'reload'"
                        exit 1
                        ;;
        esac
        aa_log_action_start "$PARSER_MSG"
        # run the parser on all of the apparmor profiles
        if [ ! -f "$PARSER" ]; then
                aa_log_failure_msg "AppArmor parser not found"
                exit 1
        fi

        for profile_dir in $PROFILE_DIRS; do
                __parse_profiles_dir "$PARSER_CMD" "$profile_dir" || STATUS=$?
        done

        aa_log_action_end "$STATUS"
        return "$STATUS"
}

PARSER is defined in the same file (/lib/apparmor/rc.apparmor.functions):

PARSER=/sbin/apparmor_parser

apparmor_parser exists on the author's system, as shown below:

$ ls /sbin/apparmor_parser
/sbin/apparmor_parser

PROFILE_DIRS is also set in the same file (/lib/apparmor/rc.apparmor.functions):

if [ -d /etc/apparmor.d ] ; then
        PROFILE_DIRS=/etc/apparmor.d
else
        aa_log_warning_msg "Unable to find profiles directory, installation problem?"
fi

/etc/apparmor.d also exists on the author's system:

$ ls -d /etc/apparmor.d
/etc/apparmor.d

Execution then reaches the following code snippet:

for profile_dir in $PROFILE_DIRS; do
        __parse_profiles_dir "$PARSER_CMD" "$profile_dir" || STATUS=$?
done

With the variables substituted, this snippet expands to:

for profile_dir in /etc/apparmor.d; do
        __parse_profiles_dir --replace $profile_dir || STATUS=$?
done

The actual command executed on the author's system (captured by printing it before the call) is:

__parse_profiles_dir --replace /etc/apparmor.d

__parse_profiles_dir is defined in the same file (/lib/apparmor/rc.apparmor.functions); its code is as follows:

__parse_profiles_dir() {
        local parser_cmd="$1"
        local profile_dir="$2"
        local status=0

        if [ ! -d "$profile_dir" ]; then
                aa_log_failure_msg "Profile directory not found: $profile_dir"
                return 1
        fi

        if [ -z "$(ls "$profile_dir"/)" ]; then
                aa_log_failure_msg "No profiles found in $profile_dir"
                return 1
        fi

        # shellcheck disable=SC2086
        if ! "$PARSER" $PARSER_OPTS "$parser_cmd" -- "$profile_dir"; then
                status=1
                aa_log_failure_msg "At least one profile failed to load"
        fi
        return "$status"
}

With PARSER_OPTS unset (so it expands to nothing), "$PARSER" $PARSER_OPTS "$parser_cmd" -- "$profile_dir" expands to:

/sbin/apparmor_parser --replace -- /etc/apparmor.d
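To watch the whole chain from parse_profiles through __parse_profiles_dir to the parser invocation run end to end, here is an added example; it is not code from the AppArmor project or from the article. It copies the two functions shown above, stubs out the aa_log_* helpers, and swaps /sbin/apparmor_parser for a fake script that records the exact argv it receives, so the expansion to `--replace -- <dir>` and the three failure paths (missing directory, empty directory, parser returning non-zero) can be observed offline without touching the real profile tree. The names FAKE_PARSER_LOG, FAKE_PARSER_RC, make_fake_parser, run_and_capture, populated_dir and the scenario_* functions are this example's own; `exit 1` becomes `return 1` so the demo keeps running, and STATUS is initialised inside parse_profiles because the excerpt on the page does not show where the real file sets it (an assumption).

```shell
#!/bin/sh
# Added example (not AppArmor project code): re-run the parse_profiles ->
# __parse_profiles_dir -> apparmor_parser chain with a fake parser that logs its
# argv, so the command expansion and the failure paths can be observed offline.
# FAKE_PARSER_LOG, FAKE_PARSER_RC, make_fake_parser, run_and_capture and the
# scenario_* functions are invented for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FAKE_PARSER_LOG="$WORK/parser.log"
export FAKE_PARSER_LOG
PARSER_OPTS=""

# Stubs for the logging helpers; they write to stderr so stdout carries only results.
aa_log_failure_msg() { echo "FAIL: $*" >&2; }
aa_log_action_start() { echo "$*" >&2; }
aa_log_action_end() { :; }

# Fake apparmor_parser: appends its argv to the log and exits with FAKE_PARSER_RC.
make_fake_parser() {
    PARSER="$WORK/apparmor_parser"
    cat > "$PARSER" <<'EOF'
#!/bin/sh
printf '%s\n' "$*" >> "$FAKE_PARSER_LOG"
exit "${FAKE_PARSER_RC:-0}"
EOF
    chmod +x "$PARSER"
}

# Same logic as rc.apparmor.functions; 'exit 1' becomes 'return 1' so the demo continues.
__parse_profiles_dir() {
    local parser_cmd="$1"
    local profile_dir="$2"
    local status=0
    if [ ! -d "$profile_dir" ]; then
        aa_log_failure_msg "Profile directory not found: $profile_dir"
        return 1
    fi
    if [ -z "$(ls "$profile_dir"/)" ]; then
        aa_log_failure_msg "No profiles found in $profile_dir"
        return 1
    fi
    # shellcheck disable=SC2086
    if ! "$PARSER" $PARSER_OPTS "$parser_cmd" -- "$profile_dir"; then
        status=1
        aa_log_failure_msg "At least one profile failed to load"
    fi
    return "$status"
}

parse_profiles() {
    case "$1" in
        load)   PARSER_CMD="--add";     PARSER_MSG="Loading AppArmor profiles " ;;
        reload) PARSER_CMD="--replace"; PARSER_MSG="Reloading AppArmor profiles " ;;
        *)      aa_log_failure_msg "required 'load' or 'reload'"; return 1 ;;
    esac
    STATUS=0   # assumption: the page's excerpt does not show where the real file sets this
    aa_log_action_start "$PARSER_MSG"
    if [ ! -f "$PARSER" ]; then
        aa_log_failure_msg "AppArmor parser not found"
        return 1
    fi
    for profile_dir in $PROFILE_DIRS; do
        __parse_profiles_dir "$PARSER_CMD" "$profile_dir" || STATUS=$?
    done
    aa_log_action_end "$STATUS"
    return "$STATUS"
}

# Run parse_profiles with the given action; print "rc=<n> argv=<what the parser saw>".
run_and_capture() {
    : > "$FAKE_PARSER_LOG"
    rc=0
    parse_profiles "$1" || rc=$?
    if [ -s "$FAKE_PARSER_LOG" ]; then argv=$(tail -n 1 "$FAKE_PARSER_LOG"); else argv="no-parser-call"; fi
    printf 'rc=%s argv=%s\n' "$rc" "$argv"
}

# Constructed profile tree: one placeholder profile file under $WORK/apparmor.d
populated_dir() {
    PROFILE_DIRS="$WORK/apparmor.d"
    mkdir -p "$PROFILE_DIRS"
    : > "$PROFILE_DIRS/usr.bin.example"
}

scenario_reload_ok()    { populated_dir; export FAKE_PARSER_RC=0; run_and_capture reload; }
scenario_load_ok()      { populated_dir; export FAKE_PARSER_RC=0; run_and_capture load; }
scenario_parser_fails() { populated_dir; export FAKE_PARSER_RC=1; run_and_capture reload; }
scenario_missing_dir()  { PROFILE_DIRS="$WORK/missing.d"; run_and_capture reload; }
scenario_empty_dir()    { PROFILE_DIRS="$WORK/empty.d"; mkdir -p "$PROFILE_DIRS"; run_and_capture reload; }

make_fake_parser
for s in scenario_reload_ok scenario_load_ok scenario_parser_fails scenario_missing_dir scenario_empty_dir; do
    printf '%-22s %s\n' "$s" "$($s)"
done
```

Running it prints one line per scenario: the two successful cases show the parser being called with `--replace -- <dir>` and `--add -- <dir>` respectively, the parser-failure case shows the same argv but an overall return code of 1, and the missing and empty directory cases return 1 without the parser ever being invoked. That last point is worth keeping in mind when reading apparmor.service logs: "Profile directory not found" and "No profiles found" mean the parser never ran, whereas "At least one profile failed to load" means it ran and rejected something.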

The rest will continue to be analyzed in subsequent articles.


Origin: blog.csdn.net/phmatthaus/article/details/130863424